Method for the detection and visualization of anomalous behaviors in a computer network

Computer network and anomalous-behavior technology, applied in the fields of computer security arrangements, transmission, unauthorized memory use protection, etc. It addresses the difficulty of detecting insider abuse of privileges, the time-consuming maintenance of intrusion detection system knowledge bases, and the restriction of knowledge-based detection to known events.

Active Publication Date: 2011-04-19
NEXTHINK

AI Technical Summary

Benefits of technology

[0019] Visualizing the behavior in a multidimensional chart has, among others, the advantage that a lot of information may be summarized and displayed on a single page. Using the anomaly level as a dimension in the chart allows for an immediate and intuitive visualization of the most anomalous nodes, applications or users in the network.

[0020] Using criticality as a dimension in the chart allows for an immediate and intuitive visualization of the most critical nodes, applications or users in the network.

[0021] The method of the invention further has the advantage that it may be used to monitor independently the behavior of nodes, users and/or applications. Thus, for example, anomalous behavior may be detected from observations of an application gathered in several nodes, or from the unusual roaming of one user through several nodes.

Problems solved by technology

However, knowledge-based intrusion detection systems are only able to detect known events.
Maintenance of the knowledge base of the intrusion detection system is therefore a time-consuming task.
Also, detection of abuses of privileges by insiders is difficult because no vulnerability is actually exploited by the intruder.
A drawback of is that they tend to generate a lot of false alarms.
The drawback, however, is that they tend to generate a lot of information, thus resulting in even more alarms and false alarms sent to the ADS platform and that need to be manually interpreted by the administrator.
A main drawback of existing intrusion detection systems, especially behavior-based and host-based solutions, is thus that they tend to produce an overflow of information, including many false alarms or alarms about minor events whose severity does not require immediate attention.
In many cases, attacks are correctly detected by the intrusion detection systems, but still succeed because the administrator disregarded or overlooked the alarm.


Embodiment Construction

[0043] FIG. 1 illustrates an example of a network in which the anomaly detection system of the invention is used. The network may be for example a local network within a company, or any kind of protected, internal network. It comprises a plurality of nodes 2, such as computer nodes, including servers and appliances, interconnected over any suitable network protocol, such as for example an Ethernet network or any other preferably packet-based data communication network. For the sake of simplicity, a single node 2 is illustrated on FIG. 1; in a real environment, the protected network may comprise any number from 1 to several thousands of nodes.

[0044] Each node may be operated by one or several users 20, including physical and virtual users, and may run one or several applications. Furthermore, at least the monitored nodes 2 run a driver for collecting information on each connection involving or initiated by the node, and for sending this information to an ADS platform 1 in the internal ...


Abstract

A method for the detection of anomalous behaviors in a computer network, comprising the steps of:
  • collecting data relating to connections in a plurality of nodes in a network,
  • sending the data from said nodes to an ADS platform,
  • computing from said data at least one value representative of the anomaly level of the connections of each said node and/or of applications initiating said connections and/or of users,
  • computing a multidimensional chart for visualizing the behavior of a plurality of nodes, applications and/or users in said network, wherein said value representative of the anomaly level is used as a dimension in said chart.
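The steps of the abstract as an added Python example (not code from the patent or from Nexthink). The excerpt does not say how the anomaly level or the criticality is computed, so the novelty-share score, the criticality table, the field layout and every record value below are assumptions.

```python
from collections import defaultdict

# Constructed records as a node driver might send them to the ADS platform:
# (node, user, application, destination, port). All values are made up.
BASELINE = [
    ("ws-01", "alice", "browser", "intranet", 443),
    ("ws-01", "alice", "mail", "mx", 993),
    ("ws-02", "bob", "browser", "intranet", 443),
    ("ws-02", "bob", "mail", "mx", 993),
    ("srv-db", "svc-db", "dbd", "backup", 5432),
]
OBSERVED = [
    ("ws-01", "alice", "browser", "intranet", 443),
    ("ws-01", "alice", "mail", "mx", 993),
    ("ws-02", "bob", "browser", "intranet", 443),
    ("ws-02", "alice", "browser", "intranet", 443),     # alice roams to bob's node
    ("srv-db", "alice", "browser", "intranet", 443),    # and to the database server
    ("srv-db", "svc-db", "dbd", "198.51.100.7", 8443),  # new destination and port
]
# Assumed operator-assigned criticality in [0, 1]; unlisted entities get 0.1.
CRITICALITY = {("node", "srv-db"): 0.9, ("user", "svc-db"): 0.8}

# Per monitored dimension: which field names the entity, and which fields form
# the behaviour feature that is compared against that entity's own baseline.
DIMENSIONS = {
    "node": (lambda r: r[0], lambda r: (r[2], r[4])),         # application + port
    "user": (lambda r: r[1], lambda r: r[0]),                 # nodes visited
    "application": (lambda r: r[2], lambda r: (r[3], r[4])),  # destination + port
}

def anomaly_levels(baseline, observed, entity_of, feature_of):
    """Share of an entity's observed connections whose feature is new for it."""
    known = defaultdict(set)
    for rec in baseline:
        known[entity_of(rec)].add(feature_of(rec))
    total, novel = defaultdict(int), defaultdict(int)
    for rec in observed:
        ent = entity_of(rec)
        total[ent] += 1
        novel[ent] += feature_of(rec) not in known[ent]
    return {ent: novel[ent] / total[ent] for ent in total}

def chart_rows(baseline, observed):
    """Chart data, most anomalous first: (kind, entity, anomaly, criticality)."""
    rows = []
    for kind, (entity_of, feature_of) in DIMENSIONS.items():
        levels = anomaly_levels(baseline, observed, entity_of, feature_of)
        for ent, level in levels.items():
            rows.append((kind, ent, round(level, 2), CRITICALITY.get((kind, ent), 0.1)))
    return sorted(rows, key=lambda r: (-r[2], -r[3]))
```

Each returned row is one point in the chart, with the anomaly level and the criticality as two of its dimensions. The user rows show the roaming case, and the application rows aggregate one application's connections across all nodes.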

Description

[0001] This application claims the benefit of U.S. Provisional patent application Ser. No. 60/737,754 filed Nov. 18, 2005, the complete disclosure of which is hereby expressly incorporated by reference.

FIELD OF THE INVENTION

[0002] The present invention concerns a method for the detection of anomalous behaviors in a computer network. The present invention also relates to a management and monitoring platform for monitoring anomalous behaviors and events in a computer network.

DESCRIPTION OF RELATED ART

[0003] Intrusion Detection (ID) methods are known for detecting inappropriate, incorrect, or anomalous activity in a host, in a data flow or in a whole network. Although a distinction is sometimes made between misuse and intrusion detection, whereas the term intrusion is used to describe attacks from the outside and misuse is used to describe an attack that originates from the internal network, the present invention relates to both kinds of attacks, and to other anomalous behaviors that do n...


Application Information

Patent Type & Authority: Patents (United States)
IPC(8): G08B23/00, G06F15/173
CPC: H04L63/1425, G06F21/552
Inventor: HERTZOG, PATRICK; AGUILAR, PEDRO BADOS
Owner: NEXTHINK